I've heard that hash algorithms like bcrypt are more secure because they take longer to complete, and therefore take much longer to brute force, without a noticeable delay for legitimate users. Would using a faster algorithm, such as SHA-256, multiple times, be secure? For example:

2 Answers

Instead of that home-grown scheme, I would use PBKDF2 instead if you simply are sold on the idea of iterated hash schemes. It uses such a scheme, although not exactly the one you have described, and is well-studied and considered secure.

However, PBKDF2 doesn't offer many advantages over bcrypt, as PBKDF2 is still vulnerable to GPU and FPGA/ASIC brute-force attacks. bcrypt resists GPU brute-forcing because of the 4K table used in the algorithm, which forces contention for the global memory bus in GPUs. But bcrypt is still potentially vulnerable to FPGA/ASIC attacks, although most people don't have to worry about that.

A newer KDF, scrypt, is also tunable for the amount of memory it uses, so it is more resistant (when properly tuned) to FPGA/ASIC attacks than bcrypt. However, scrypt is relatively new (2009) when compared to bcrypt (1999), so that may make you somewhat nervous.

Essentially, to store passwords, you should probably be using bcrypt, since it seems to hit a sweet spot of being GPU resistant as well as being sufficiently mature. But PBKDF2 and scrypt are still good; using any one of the three is really fine.

The scheme you described above has some flaws. Because you aren't seeding the hash input each iteration, you are really increasing your chance of getting collisions. This is a great example of why you should try to avoid implementing these things yourself. It's really easy to overlook something subtle that undermines your system's security.

As previously mentioned, it's much safer (and easier!) to use a well tested solution that does this for you (bcrypt, PBKDF2, etc), rather than to try to build it yourself.

The entropy loss due to collisions is negligible. Nobody has ever found even a single SHA-256 collision. There is no practical security difference between hashing a salted password multiple times and PBKDF2.
– CodesInChaos♦ May 8 '13 at 8:08
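To make the comparison in the answer concrete, here is an added example (not code from the question or either answer) that writes out the kind of "hash SHA-256 N times" loop the question proposes next to a textbook PBKDF2-HMAC-SHA256 from RFC 2898, then shows how a real application would store and verify a password with the standard library's `hashlib.pbkdf2_hmac`. The function names, the `pbkdf2_sha256$iterations$salt$hash` record format, the 600,000 default iteration count and the constructed salt/password values are this example's own assumptions.

```python
"""Added example: naive iterated SHA-256 next to PBKDF2-HMAC-SHA256.

Not code from the original post. Function names, the storage record format
and the iteration count are this example's own choices.
"""
import hashlib
import hmac
import secrets
import struct

# Assumption for this example: tune so one hash costs ~100 ms on the server
# that verifies logins; the stored record carries the count so it can grow.
DEFAULT_ITERATIONS = 600_000


def naive_iterated_sha256(password: bytes, salt: bytes, rounds: int) -> bytes:
    """The scheme the question alludes to: SHA-256(salt || password), then
    re-hash the bare digest rounds-1 more times.

    Salt and password enter the computation once; every later round is a
    function of a 32-byte digest alone (the "not seeding each iteration"
    point raised in the answer)."""
    digest = hashlib.sha256(salt + password).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def pbkdf2_hmac_sha256(password: bytes, salt: bytes, iterations: int,
                       dklen: int = 32) -> bytes:
    """PBKDF2 (RFC 2898 section 5.2) with HMAC-SHA-256 as the PRF, spelled
    out so the construction is visible. Compared with the naive loop:
      * the password keys an HMAC on every iteration, not only the first;
      * the salt is suffixed with a big-endian block index, so a longer
        derived key comes from independent blocks;
      * each output block is the XOR of all iteration results U_1 ... U_c.
    Use hashlib.pbkdf2_hmac in production; this version is for reading."""
    output = b""
    block_index = 1
    while len(output) < dklen:
        u = hmac.new(password, salt + struct.pack(">I", block_index),
                     hashlib.sha256).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha256).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        output += bytes(t)
        block_index += 1
    return output[:dklen]


def matches_stdlib(password: bytes, salt: bytes, iterations: int,
                   dklen: int = 32) -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib's C implementation."""
    expected = hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)
    return hmac.compare_digest(pbkdf2_hmac_sha256(password, salt, iterations, dklen), expected)


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, iteration count, salt, hash.
    A fresh 16-byte random salt per password defeats precomputed tables."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute from the parameters in the record and compare in constant time."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algorithm}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # hmac.compare_digest avoids the early-exit timing leak of a plain ==.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    salt = b"constructed-salt"          # fixed, constructed salt for a repeatable demo
    pw = b"correct horse battery staple"  # constructed sample password
    print("hand-written PBKDF2 matches hashlib:", matches_stdlib(pw, salt, 1000))
    print("naive x1000 :", naive_iterated_sha256(pw, salt, 1000).hex())
    print("pbkdf2 c=1000:", pbkdf2_hmac_sha256(pw, salt, 1000).hex())
    record = hash_password(pw.decode())
    print("stored record:", record)
    print("verify correct:", verify_password(pw.decode(), record))
    print("verify wrong  :", verify_password("wrong password", record))
```

The record format stores the iteration count alongside the salt and hash, so the cost can be raised later by re-hashing on the user's next successful login rather than by migrating every row at once; the pure-Python `pbkdf2_hmac_sha256` is only there to make the construction readable and should not be used for the real 600,000-iteration cost.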